Forwarded from: security curmudgeon <jericho@private>
Cc: sberinato@private
This was certainly an interesting article. Bit naive.. bit of FUD.. bit of
hypocrisy.. it had it all! All in all, I rate this piece a Big load of
crap. Comments inline..
: http://www.cio.com/archive/031505/security.html
:
: BY SCOTT BERINATO
:
: Professor Hannu H. Kari of the Helsinki University of Technology is a
: smart guy, but most people thought he was just being provocative when he
: predicted, back in 2001, that the Internet would shut down by 2006.
: "The reason for this will be that proper users' dissatisfaction will
: have reached such heights by then that some other system will be
: needed,"
I don't think I need to cover how absurd "the internet would shut down"
is. Hell, people still have trouble defining it, let alone declaring "it"
shut down.
: Kari holds dozens of patents. He helped invent the technology that
: enables cell phones to receive data. He's a former head of Mensa
: Finland. Still, many observers pegged him as an irresponsible doomsayer
: and, seeing as how he consults for security vendors, a mercenary one at
: that.
Sounds like another case of academia promoting their ideas without
grounding themselves in a healthy dose of reality. Mensa and patents mean
nothing really. I think he is confusing user disgust with the internet
being "shut down". And for all of his stats on worms and viruses and
cyberattacks and spam (and oh my!), I'd love to see his statistics showing
any trend of portions of the internet "shutting down" or users giving up
on the net completely due to frustration. Sure, lots of bad things
continue to happen and the trend is growing.. but how about this result he
predicts? Any statistics or trends to back the rest?
: attacking the machines it targeted. Paul Stich, CEO of managed
: security provider Counterpane, reports that attempted attacks on his
: company's customers multiplied from 70,000 in 2003 to 400,000 in 2004,
: an increase of over 400 percent. Ed Amoroso, CISO of AT&T, says that
I think we're close to the ten year anniversary of asking journalists (and
most security professionals) the following question:
What exactly do you mean by 'attack'?
Remember, a lot of these FUD spreaders (including .gov agencies) count a
*ping* as an attack. Without qualifying what 'attack' means, any statistic
that mentions said 'attacks' is *worthless fluff*.
: among the 2.8 million e-mails sent to his company every day, 2.1
: million, or 75 percent, are junk. The increasing clutter of online junk
: is driving people off the Internet. In a survey by the Pew Internet and
: American Life Project, 29 percent of respondents reported reducing their
: use of e-mail because of spam, and more than three-quarters, 77 percent,
: labeled the act of being online "unpleasant and annoying." Indeed, in
And how many of those people STOPPED using the net as a result? Almost
everyone I know thinks that driving to and from work is "unpleasant and
annoying", yet less than 0.01% stopped doing it.
: Kari may have overstepped by naming a specific date for the Internet's
: demise, but fundamentally, he's right. The trend is clear.
The *trend* has been there for a DECADE. Why say 2006 again?
: What was left was an impressive, broad and, sometimes, even fun list of
: Big Ideas to fix information security. Let's hope some take shape before
: 2006.
:
: Get All the Smart People Together and Give Them Lots of Money
: The best place to start is with a Big Idea to concentrate and organize
: all the other big ideas: a Manhattan Project for infosecurity.
Great idea, who pays the bill? Who determines the "smart people"? How long
does it take for them to define the problems before developing technical
solutions? Once they figure out brilliant solutions, how do you get
everyone to implement them?
: Hire a Czar
: A surgeon general-like figure for security is not only a Big Idea; it's
: a popular one. Several folks suggest creating some kind of "government
: leader" or "public CIO for security," none more vocally than Paul Kurtz,
: the executive director of the Cyber Security Industry Alliance.
Hire a Czar, that's an original thought..
U.S. cybersecurity chief resigns
http://www.infoworld.com/infoworld/article/04/10/01/HNchiefresigns_1.html
Amit Yoran, director of the DHS National Cyber Security Division since
September 2003 resigns.
--
U.S. Cybersecurity Czar to Resign
http://www.wired.com/news/politics/0,1283,57454,00.html
Richard Clarke, currently the nation's top cybersecurity adviser, will
resign from government.
Having a "cyber security czar" is a pointless task unless his position
means something, and has some real power.
: Eliminate All Coding Errors Within Two Years
: Mary Ann Davidson, CSO of Oracle and champion of the quality coding
: movement, says she's tired of coders arguing that their jobs are too
: creative to eliminate errors such as buffer overflows, that coding's an
: art, not a science.
:
: Davidson knows that, with billions of lines of legacy code and billions
: more in development, eliminating all coding errors is quite a lofty
: goal.
Oh this is hands down the most amusing, ironic AND disgusting thing I have
read in a while. Hey Mary, you hypocritical pop tart, YOU WORK FOR ORACLE.
Your products have more vulnerabilities than features year after year! You
are the *last* person/company that should EVER speak on security
practices. Davidson has been with Oracle for more than 15 years and the
number of vulnerabilities in their products is getting *worse*, not
better. You show the rest of the world that your idea can work at Oracle,
and I am sure the rest will follow.
: Pry PCs from Their Cold, Dead Hands
: Guns are dangerous; therefore, we license them. We give them unique
: serial numbers and control their distribution. James Whittaker says
: programmable PCs are dangerous, so why not treat them like guns?
According to the CDC, there were 17,638 homicides in 2002 [1]. We license
guns for a reason. In 2001, there were 42,443 deaths from automobile
accident injuries [2]. We license automobile drivers for a reason.
In 2001, 2002, 2003 and 2004, how many deaths were attributed to
computers?
According to one worldwide study, smoking was blamed for 5 million deaths
in 2000 [3], and we don't even license people to purchase smoking
products.
Statistics and logic aside, who determines or standardizes the licensing?
Who issues them? Who polices and revokes them?
: Call the Cybercops
: With a "Cyberpol," you could license private eyes and forensic experts
: who not only would facilitate the cooperation but also would improve
: response time, as there already isn't enough law enforcement for
: cybercrime.
And should this 'Cyberpol' follow 'Interpol'? What happens when a country
doesn't participate or honor Interpol requests? What happens when a
"licensed private eye" goes to a U.S. based ISP and asks for logs that
require a federal subpoena? It just added a layer of bureaucracy and
hindered the investigation, potentially when time is critical.
: Unleash the Power of XML and Meta-Data
: Several people suggest using XML and meta-data to tag websites with
: safety, reputation, past performance and other security ratings to act
: as signposts for dangerous cyberneighborhoods. A virtual Better Business
: Bureau could manage the data so that when users visit a website, their
: computers pull down the XML meta-data about that site.
This has an obvious problem. Who exactly decides what sites are bad.. this
new virtual BBB? Take organizations that try to do this for specific areas
of the industry right now. SpamCop or other blackhole list maintainers and
commercial content filter products are the first to come to mind. If these
are indications of what this virtual BBB might accomplish, no thanks. Many
people feel they do as much harm as they do good.
My domain has sent out 0 spam in the past 5 years, yet we have been
blacklisted on at least three different RBL lists including SpamCop
(several times). Each time it took a small miracle to get the domain
removed entirely due to THEIR process for handling such cases. Almost
every single content filtering software blocks my domain .. why? Criminal
activity says one.. pornography says another.. hacker material says a
third. Yet every security company and federal law enforcement agency
*relied* on the information we provided for several years. These
designations are completely subjective based on the audience, something no
software or programmer can adequately determine and enforce.
How exactly is this proposed BBB going to handle rating the 60,442,655 web
sites available in March of 2005 [4]?
All in all, this list of Big Ideas seems like a Big joke mostly written by
Big windbags that don't understand the Big internet that they propose to
drastically change.
jericho
attrition.org
[1] http://www.cdc.gov/nchs/fastats/homicide.htm
[2] http://www.wrongdiagnosis.com/a/automobile_accidents_injury/deaths.htm
[3] http://my.webmd.com/content/article/97/104239.htm?z=1728_00000_1000_nd_04
[4] http://news.netcraft.com/archives/web_server_survey.html